From 4f59603879d5d0f149d8dc6c625722033649e483 Mon Sep 17 00:00:00 2001
From: Rahul Khiyani <rk0850@att.com>
Date: Wed, 13 Mar 2019 10:40:39 -0400
Subject: [PATCH] Calico-etcd: Add pod/container security context

This updates the Calico-etcd chart to include the pod
security context on the pod template

This also adds the container security context to set
readOnlyRootFilesystem to true

Change-Id: I10ff398d7a552d5287d841ca39c77ea097f7e67e
---
 calico/templates/daemonset-calico-etcd.yaml | 4 ++--
 calico/values.yaml                          | 7 +++++++
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/calico/templates/daemonset-calico-etcd.yaml b/calico/templates/daemonset-calico-etcd.yaml
index a8f83da77..2ede67cbc 100644
--- a/calico/templates/daemonset-calico-etcd.yaml
+++ b/calico/templates/daemonset-calico-etcd.yaml
@@ -51,8 +51,7 @@ spec:
         # a failure.  This annotation works in tandem with the toleration below.
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
-      securityContext:
-        readOnlyRootFilesystem: true
+{{ dict "envAll" $envAll "application" "calico" | include "helm-toolkit.snippets.kubernetes_pod_security_context" | indent 6 }}
       serviceAccountName: {{ $serviceAccountName }}
       tolerations:
         # This taint is set by all kubelets running `--cloud-provider=external`
@@ -77,6 +76,7 @@ spec:
         - name: calico-etcd
 {{ tuple $envAll "calico_etcd" | include "helm-toolkit.snippets.image" | indent 10 }}
 {{ tuple $envAll $envAll.Values.pod.resources.calico_etcd | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
+{{ dict "envAll" $envAll "application" "calico" "container" "calico_etcd" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
           env:
             - name: CALICO_ETCD_IP
               valueFrom:
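Review bot: The new container security context include sets `readOnlyRootFilesystem: true` on calico-etcd (via the values stanza this commit adds), but that only works if every path etcd writes — its data directory at least — sits on a writable volume mount; the container's volumeMounts and the pod's volumes are outside this hunk, so I cannot confirm that here. If the data directory is not already a hostPath or emptyDir mount, the container will fail to start on a read-only root filesystem rather than degrade quietly. A short comment above the include would save the next reader the same check, e.g. `# readOnlyRootFilesystem comes from pod.security_context.calico.container.calico_etcd; etcd's data dir must be a writable mount`. The container spec continues outside the hunk.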
diff --git a/calico/values.yaml b/calico/values.yaml
index 5b8da9ec0..29e5ae886 100644
--- a/calico/values.yaml
+++ b/calico/values.yaml
@@ -37,6 +37,13 @@ images:
       - calico_kube_controllers
 
 pod:
+  security_context:
+    calico:
+      pod:
+        runAsUser: 0
+      container:
+        calico_etcd:
+          readOnlyRootFilesystem: true
   resources:
     enabled: false
     jobs:
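Review bot: `runAsUser: 0` under `security_context.calico.pod` pins the whole pod to root explicitly, and nothing in the values file or commit message says why etcd needs that; if the only requirement is ownership of the data directory, a non-zero UID together with `runAsNonRoot: true` would be the safer default for a datastore that holds the cluster's network state. While this stanza is being introduced, `allowPrivilegeEscalation: false` fits naturally next to `readOnlyRootFilesystem: true` for the `calico_etcd` container. At minimum, document the choice inline: `# runs as root because <reason — fill in>; revisit once the data dir ownership permits a non-root UID`.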